2014
02.24

Two well known media-whores from the console warez scene recently revealed via posts on several websites (wiiuhax for example) that they got hold of the plaintext of the Wii U Espresso Bootrom. Because these people have no idea about console hacking and are just good/bad at overhyping things they don’t understand and didn’t write in the first place (props to Maxternal & MarioNum1 for the work on implementing fail0verflow’s exploit revealed back in December), I thought I would write a quick article about what having an Espresso Bootrom dump does.

TL;DR: Nothing. It’s just a first step towards potentially implementing a more complex exploit that allows getting PowerPC ancast decryption keys. In itself it is completely useless.

The Espresso bootrom

This bootrom which was dumped is the first code that runs on the Wii U PowerPC “Espresso” CPU. Its role is to check the signature of a PowerPC binary, decrypt it, lock access to decryption keys and bootrom code, then run it. It is a new security measure that did not exist on the Wii “Broadway” CPU, which simply ran unsigned binaries.

In practice, this bootrom is useless because of a stupid TOCTTOU vulnerability. It is possible to run any unsigned code on the Espresso, and this was disclosed by fail0verflow back in May 2013. Getting the bootrom plaintext does not provide any more information towards that since it is already broken.

On top of that, fail0verflow described in great details how the bootrom works internally in their talk at 30c3. Getting the plaintext of the bootrom is not really any help there since you could just read the slides and know everything it does. The only useful information that was not (as far as I know) provided is the location of the keys (SPRs/MMIO addresses?), but since the bootrom lock access to keys after it has run, this is not useful information in itself.

So what does it provide?

For the developers working on this hacking project: a step forward that allows them to implement the more interesting HRESET race attack. This attack was also described by fail0verflow in their 30c3 talk and allows corrupting the internal state of the CPU using short hardware reset pulses. It is way more difficult to implement than the basic SRESET race used to get a bootrom dump so at the current speed I wouldn’t expect anything new in that area for a few weeks/a month.

For users, pirates, etc.: nothing. While this small step was overhyped by media-whores using fake images of Wii U GamePads with cool pictures on them, it does not provide any more access to the console than was previously possible. The only new useful information from that dump is the location of the keys, which is not useful by itself. It is far from being “one giant leap for the wii-u scene” as announced. Don’t trust stupid people.

Update: marcan’s take on this

marcan from fail0verflow was the first person to implement this exploit a year ago and disclosed it at 30c3 2 months ago. His take on it:

It serves precisely three purposes:

1. It paves the way for a different exploit which, while ALSO not breaking anything not broken, and ALSO being useless for homebrew/piracy, makes it slightly easier to analyze the rest of the system once you do break it using yet another completely unrelated exploit.
2. It’s cute and cool. We’re hackers, we like breaking things even if it’s useless. We also like laughing at Nintendo because they clearly didn’t intend for this to happen, even though it’s rendered moot by other flaws in the system.
3. Unfortunately, it also gives harryoke an excuse to post more utter nonsense and a completely fake gamepad photo that has nothing to do with any of this.

In other words, it allows MarioNumber1 to say he dumped the boot rom (good job!), and if he implements the HRESET exploit, and if he implements an undisclosed, completely unrelated, much more complex Wii U mode exploit, then he will have a slightly easier/more convenient time reverse engineering the rest of the system. It’s not even a make-or-break thing, just a slight convenience.

Really, we did it because number 2.

And yes, Nintendo can’t fix this on existing consoles, but even if they fix it on newer ones it’s completely fucking irrelevant because only a single person in the world has to use this exploit once, ever, and after that it’s completely and utterly useless for every purpose, period. The only purpose of this exploit is to learn more about how the console works.